Table of Contents

sudo

The sudo command allows a user to run a command as root, or some other user.
It has several benefits over su:

It can restrict who has access, and what commands they may run.

It can be configured to not require a password in some situations.

It can log commands that the user runs.

This page documents the configuration of sudo for Debian 6.0.
Previous versions of Debian did things quite a bit differently – see versions of this page prior to 2012-01-28 for those details.

Prerequisites

Root Password

We're going to configure sudo to require the root password in most cases.
If you configured Debian during installation to not have a root password, be sure to add one:

passwd root # NOTE: Interactive!

Admin Users

Debian automatically creates a group named sudo.
The members of that group have sudo access (to run anything as root) granted by the default configuration.

When installing Debian 6.0, the first user is added to the sudo group.
Any other admin users will have to be added to that group.
You can use one of these commands:

USERNAME='admin_user'
usermod --append --groups sudo $USERNAME

USERNAME='admin_user'
adduser $USERNAME sudo

Installation

It appears that Debian 6.0 will install sudo by default, if you don't specify a root password during installation, or if you select the Desktop task.

Our installations of Debian typically do not include sudo by default, so we have to install it manually:

apt-get install sudo

Note that if you use LDAP for user accounts, you'll need to install sudo-ldap instead of sudo.

Configuration

Require Root Password

By default, sudo requires a user to type in their own password in order to run a command.
For added security, we prefer to use a different password to run commands as root.
This way, if a user password is compromised, the attacker cannot run commands as root without additional work.

Notes

Allowing sudo without a password should be limited as much as possible. Be sure that the commands cannot be used to make arbitrary changes to files or run arbitrary commands.

Previous versions of Debian allowed users in the sudo group to use sudo to perform any command without a password. This is not a good security practice. On those systems, we used a different group (wheel) and set that group to be allowed to run any command with a password.

Note that if you allow a user to run a command as root, and the command allows them to shell out, they can then effectively run any command as root. So don't give access to things like vi, unless you're willing to give access to ALL commands.

You should always use visudo when editing the configuration files. This will prevent you from saving an invalid configuration file. For programmatically-written files, the -c option can be used.

If you use sudo to create a new file within /etc/sudoers.d, you'll get a warning message when changing the permissions on the file, when you try using sudo to change the permissions.

TODO

Add some more limited commands for some users.

Investigate the differences between the default set of environment variables and the ones we're using.

Take some action if the visudo check of the configuration files fails.